Tempra
Security hardening for the masses.
Single binary. Community modules. CIS benchmarks.
Tempra detects your system, loads hardening modules, generates a plan,
applies it with native OS tools, and tracks what changed.
Quick start
curl -fsSL https://tempra.sh/install.sh | bash
sudo tempra init
sudo tempra apply -y
sudo tempra status
Four commands. Fresh server to hardened server.
How it works
$ sudo tempra plan
9 change(s) to apply:
[CRIT] Disable direct root login via SSH (CIS-5.2.10)
(not set) → no
[CRIT] Set default policy to deny incoming traffic (CIS-3.5.1.2)
Status: inactive → deny (incoming)
[HIGH] Ensure fail2ban is installed (CIS-5.2)
not installed → installed
...
$ sudo tempra apply -y
[sshd_hardening]
[1/12] Disable direct root login via SSH ... OK
[2/12] Disable password authentication ... OK
...
[pre-check] sshd -t ... OK
[handler] restarting sshd ... OK
[basic_firewall]
[1/7] Set default policy to deny incoming ... OK
...
[fail2ban_setup]
[1/5] Ensure fail2ban is installed ... OK
...
23 changes applied successfully.
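The plan step above reports each setting as "current → desired". The following added example (not Tempra's own code, and not taken from this page) shows one way to compute such lines for the two SSH items, including the sshd_config cases where a naive grep gives the wrong answer: duplicate keywords and Match blocks. The sample config and the mapping of plan titles to the sshd keywords PermitRootLogin and PasswordAuthentication are assumptions made for the illustration.

```python
import re

# Constructed sample sshd_config (not taken from a real host).
SAMPLE = """\
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
passwordauthentication no
Match User backup
    PermitRootLogin yes
"""

# Assumed mapping of the plan titles above to sshd_config keywords.
DESIRED = {
    "PermitRootLogin": ("Disable direct root login via SSH", "no"),
    "PasswordAuthentication": ("Disable password authentication", "no"),
}
LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")  # "Key value" or "Key=value"

def parse(text):
    """Return (global values, Match-block overrides) for an sshd_config text."""
    global_values, overrides, condition = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if not m or line.startswith("#"):
            continue  # blank line, comment or bare keyword
        key, value = m.group(1).lower(), m.group(2).strip()  # keywords are case-insensitive
        if key == "match":
            condition = value  # lines below apply only when this Match applies
        elif condition is not None:
            overrides.append((condition, key, value))
        else:
            global_values.setdefault(key, value)  # sshd keeps the first value it obtains
    return global_values, overrides

def plan(text, desired=DESIRED):
    """Return (changes, warnings) as plan-style strings."""
    global_values, overrides = parse(text)
    changes, warnings = [], []
    for keyword, (title, wanted) in desired.items():
        current = global_values.get(keyword.lower(), "(not set)")
        if current.lower() != wanted:
            changes.append(f"{title}: {current} → {wanted}")
        for condition, key, value in overrides:
            if key == keyword.lower() and value.lower() != wanted:
                warnings.append(f"Match {condition}: {keyword} {value}")
    return changes, warnings
```

This sketch does not follow Include files; on a live host, `sshd -T` prints the effective configuration and is the authoritative check.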
Install
curl -fsSL https://tempra.sh/install.sh | bash
Modules
Modules are declarative TOML files — SSH hardening, firewall setup, intrusion prevention, and more.
Tempra downloads them from the community hub on init and loads them from /var/lib/tempra/modules/.
$ tempra modules list # see what's available
$ tempra modules update # pull latest from hub
$ tempra modules info ssh # details on a specific module
Standing on the shoulders of giants
Ansible and DevSec taught us what to harden. Tempra brings that knowledge without playbooks or agents.
Terraform's plan/apply lifecycle and provider model are the backbone of our architecture.
Nix proved system config can be declarative and reproducible. Tempra brings that idea to any Linux box — without the learning curve.
Lynis is the best Linux security auditor. It tells you what's wrong. Tempra adds the fix.